Certificate ::= SEQUENCE {
    tbsCertificate          TBSCertificate,
    signatureAlgorithm      AlgorithmIdentifier,
    signature               BIT STRING }



TBSCertificate ::= SEQUENCE {
    version              [0]  Version DEFAULT v1,
    serialNumber              CertificateSerialNumber,
    signature                 AlgorithmIdentifier,
    issuer                    Name,
    validity                  Validity,
    subject                   Name,
    subjectPublicKeyInfo      SubjectPublicKeyInfo,
    issuerUniqueID       [1]  IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID      [2]  IMPLICIT UniqueIdentifier OPTIONAL,
    extensions           [3]  Extensions OPTIONAL }



Version ::= INTEGER { v1 (0), v2 (1), v3 (2) }



CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE {
    notBefore            Time,
    notAfter             Time }

Time ::= CHOICE {
    utcTime              UTCTime,
    generalTime          GeneralizedTime }

UniqueIdentifier ::= BIT STRING

SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm            AlgorithmIdentifier,
    subjectPublicKey     BIT STRING }

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension



Extension ::= SEQUENCE {
    extnID               OBJECT IDENTIFIER,
    critical             BOOLEAN DEFAULT FALSE,
    extnValue            OCTET STRING }



Prior Art



Figure 5A 



AttributeCertificate ::= SEQUENCE {
    acinfo               AttributeCertificateInfo,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING
}



AttributeCertificateInfo ::= SEQUENCE {
    version                  AttCertVersion DEFAULT v1,
    holder                   Holder,
    issuer                   AttCertIssuer,
    signature                AlgorithmIdentifier,
    serialNumber             CertificateSerialNumber,
    attrCertValidityPeriod   AttCertValidityPeriod,
    attributes               SEQUENCE OF Attribute,
    issuerUniqueID           UniqueIdentifier OPTIONAL,
    extensions               Extensions OPTIONAL
}



AttCertVersion ::= INTEGER { v1 (0), v2 (1) }



Holder ::= SEQUENCE {
    baseCertificateID    [0] IssuerSerial OPTIONAL,
        -- the issuer and serial number of
        -- the holder's Public Key Certificate
    entityName           [1] GeneralNames OPTIONAL,
        -- the name of the claimant or role
    objectDigestInfo     [2] ObjectDigestInfo OPTIONAL
        -- if present, version must be v2
}



ObjectDigestInfo ::= SEQUENCE {
    digestedObjectType   ENUMERATED {
        publicKey            (0),
        publicKeyCert        (1),
        otherObjectTypes     (2) },
        -- otherObjectTypes MUST NOT
        -- be used in this profile
    otherObjectTypeID    OBJECT IDENTIFIER OPTIONAL,
    digestAlgorithm      AlgorithmIdentifier,
    objectDigest         BIT STRING
}



Prior Art

Figure 5B 
AttCertIssuer ::= CHOICE {
    v1Form       GeneralNames,       -- v1 or v2
    v2Form  [0]  V2Form              -- v2 only
}

V2Form ::= SEQUENCE {
    issuerName           GeneralNames OPTIONAL,
    baseCertificateID    [0] IssuerSerial OPTIONAL,
    objectDigestInfo     [1] ObjectDigestInfo OPTIONAL
        -- at least one of issuerName, baseCertificateID
        -- or objectDigestInfo MUST be present
}

IssuerSerial ::= SEQUENCE {
    issuer       GeneralNames,
    serial       CertificateSerialNumber,
    issuerUID    UniqueIdentifier OPTIONAL
}

AttCertValidityPeriod ::= SEQUENCE { 
notBeforeTime GeneralizedTime, 
notAfterTime GeneralizedTime 

} 

Attribute ::= SEQUENCE {
    type      AttributeType,
    values    SET OF AttributeValue
        -- at least one value is required
}

AttributeType ::= OBJECT IDENTIFIER 
AttributeValue ::= ANY DEFINED BY AttributeType 

Prior Art



Figure 5C 



PKCLocator ::= SEQUENCE {
    holderPKCLocator      [0] GeneralNames OPTIONAL,
    authorityPKCLocator   [1] GeneralNames OPTIONAL
}

wherein GeneralNames is defined by IETF RFC2459 as 
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 
GeneralName ::= CHOICE {
    otherName                   [0]  OtherName,
    rfc822Name                  [1]  IA5String,
    dNSName                     [2]  IA5String,
    x400Address                 [3]  ORAddress,
    directoryName               [4]  Name,
    ediPartyName                [5]  EDIPartyName,
    uniformResourceIdentifier   [6]  IA5String,
    iPAddress                   [7]  OCTET STRING,
    registeredID                [8]  OBJECT IDENTIFIER }



Figure 6 
BEGIN



USER AT CLIENT SENDS ATTRIBUTE CERTIFICATE (AC) TO SERVER SUPPORTING TARGET SERVICE 

702 



↓

TARGET SERVICE EXTRACTS DISTRIBUTED TRUST PATH LOCATOR (DTPL) FROM ATTRIBUTE CERTIFICATE 

704 



↓

TARGET SERVICE EXTRACTS LOCATOR FOR USER'S PKC FROM DISTRIBUTED TRUST PATH LOCATOR 

706 



↓

TARGET SERVICE EXTRACTS LOCATOR FOR AC-ISSUING AUTHORITY'S PKC FROM DTPL 

708 



↓

TARGET SERVICE RETRIEVES USER'S PKC FROM SPECIFIED LOCATION 

710 



TARGET SERVICE RETRIEVES AC-ISSUING AUTHORITY'S PKC FROM SPECIFIED LOCATION 

712 



↓

TARGET SERVICE VERIFIES ATTRIBUTE CERTIFICATE USING THE RETRIEVED PKCs 

714 



TARGET SERVICE ALLOWS USER/CLIENT ACCESS TO CONTROLLED RESOURCES IN ACCORDANCE WITH ATTRIBUTES IN USER'S ATTRIBUTE CERTIFICATE

716




Figure 7 



9/9 

AUS9-2000-0808-US1 



